Maintainability of FIM Sync rules is probably one of the most often raised issues by the customers, especially when the rules were developed by someone else. For this reason, I try my best to make the rules as modular and self-documenting as possible. Recently I came across Aspect Oriented Development framework, which I believe will go a long way in improving the quality of my deliverables. In this blog I would like to share my experience in using PostSharper to improve expressiveness and modularity of FIM Sync Rules. Of course, the framework is applicable to a wide range of scenarios. Before I go any further I would suggest that you explore https://www.sharpcrafters.com/ for some ideas and samples of how Aspect Oriented Development could benefit you. In a nutshell though, the Aspect model allows us to focus code on what matters, thus clearly expressing the intent of our code, while modularizing cross-cutting concerns.

Let me show you, as an example, a method I recently re-factored using Aspects. The main intent of the function is to determine whether an AD account could be safely deleted. The method leverages two helper methods which evaluate the status of the identity from AD and HR point of view. The details of the implementation are not important here. What is important that this method is only applicable to certain types of accounts (normal user objects and not system accounts, etc. ), and that it requires userAccountControl attribute to be passed to it. I also anticipate that more granular rules will be applied in the future to filter the application of this function.

So without Aspects, I would typically create multiple if conditions which would determine if the object meets certain requirements and that all required parameters where passed to the method. Trust me when I say this, that doing this would significantly reduce the readability and maintainability of this code. In addition, I have several other methods which may require the same logic.

So with PostSharp I created several Aspects (ApplicableToPrimaryAccontsOnlyAspect and RequiresUserAccountControlAttributeAspect), which are declaratively applied to the method. The Aspects themselves are implemented as separate modules (classes) which could be re-used declaratively throughout my project. The Aspects are “weaved” into the method code by PostSharper and are executed on the method entry boundary.

As you can see, the intent the the pre-conditions of the method are very clearly expressed, thanks to the Aspects.

[ApplicableToPrimaryAccountsOnlyAspect]
[RequiresUserAccountControlAttributeAspect]
public static void ARSSafeToDeleteFlagRule(CSEntry csEntry, MVEntry mvEntry)
{
    if (AreActiveDirectoryConditionsForSettingSafeToDeleteFlagMet(csEntry) &&
        AreHRConditionsForSettingSafeToDeleteFlagMet(mvEntry))
        {
                mvEntry["SafeToDeleteFlag"].BooleanValue = true;
        }
        else
        {
                mvEntry["SafeToDeleteFlag"].BooleanValue = false;
        }
}

Here is the implementation of the ApplicableToPrimaryAcccountOnlyAspect.

There are two points worth mentioning here:

1. In the OnMethodBoundaryAspect Aspect we have access to the parameters passed to the method, hence the parameter validation logic could be extracted from the main method (by main method here I mean the method to which the Aspect is attached).

2. Based on the outcome of the validation logic, we can change the flow behavior of the main method. In this example, if the account is not Primary I simply exit the main method.

using System;
using PostSharp.Aspects;
using Microsoft.MetadirectoryServices;

[Serializable]
public class ApplicableToPrimaryAccountsOnlyAspect : OnMethodBoundaryAspect
{
        public override void OnEntry(MethodExecutionArgs args)
        {
            var csEntry = args.Arguments[0] as CSEntry;
            if (csEntry == null)
            {
                throw new Exception(
                    "ApplicableToPrimaryAccountsOnlyAspect received unexpected argument, was expecting CSEntry");
            }

            if (!csEntry["AccountClassification"].IsPresent)
            {
                throw new Exception(
                    "ApplicableToPrimaryAccountsOnlyAspect received a CSEntry without classification");
            }

            if (!csEntry["AccountClassification"]
                .StringValue.Equals(GlobalSettingsConfig.Constants.PrimaryAccountCode))
            {
                args.FlowBehavior = FlowBehavior.Return;
            }
        }
}

References: https://www.sharpcrafters.com/postsharp/documentation

The objective of this blog is to provide FIM Synchronization Service integration testers with tools to automate validation of projection and join operations.

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at https://www.microsoft.com/info/cpyright.htm

Integration testing Pattern

FIM Sync Service integration pattern follows a simple model

1. Introduce changes to the connected systems
2. Invoke run profiles
3. Validate that projection, join, attribute flow rule, etc. rules were executed as expected

Ideally all 3 parts should be fully automated, but in this blog we will look at automating step 3. For automation of run profiles from C#, see my other post here.

What utilities do we need to make assertions about the correctness of rule execution?

For simplicity sake, let’s assume that we are working with two connected systems: HR (SQL table) and Active Directory, and that we wrote two helper classes: HRHelper and ActiveDirectoryHelper, which automate testing of those systems (i.e. allow us to add, delete, modify objects for testing). Let’s also assume that HR projects, and AD joins on employeeID. In order to ensure that our FIM rules are configured properly (in an automated fashion), we will need the following facilities:

1. MetaverseHelper Class, which allows us to locate MVEntries based on anchor attributes
2. ConnectorSpace.Helper Class, which allows us to check if a csEntry identified by a DN is linked to an MVEntry, previously located by the MetaverseHelper Class

In our example, if HR Record was successfully projected, then we should be able to locate in the Metaverse, one and only one, MVEntry which contains the employeeID in question (assuming, there exist and import attribute flow which sends emploeeID to the Metaverse). Also, if Active Directory MA produced a join, then we should be able to locate a link between the CSEntry and the MVEntry.

Code sample below illustrates this pattern.

// Introduce changes to the connected systems

var dn = ActiveDirectoryHelper.CreateNewAccount(ADAccountInfo adAccountInfo);
var employeeID = HRHelper.CreateNewHRRecord(HRAccountInfo hrAccountInfo);

// Run FIM Sync Cycle 

RunProfileInvoker.RunFullCycle();

// Validate Projection and Joins

mms_metaverse mvEntryFoundByDN;
mms_metaverse mvEntryFoundByEmployeeID;

// Assumes that there is an import attribute flow of employeeID to the Metaverse

Assert.IsTrue(MetaverseHelper.TryToGetMVEntryByEmployeeID(employeeID, out mvEntryFoundByEmployeeID));

// Assumes that there is an import attribute flow of distinghuishedName to the Metaverse

Assert.IsTrue(MetaverseHelper.TryToGetMVEntryByActiveDirectoryDN(dn, out mvEntryFoundByDN));

// Make sure that the two queries above returned the same MVEntry, thus confirming the join.

Assert.IsTrue(mventryFoundByGUID.object_id == mvEntryFoundByEmployeeID.object_id);

// As an extra check, confirm that the csEntry corresponding the AD DN is in fact linked to the MVEntry 

Assert.IsTrue(ConnectorSpaceHelper.IsCsEntryConnectedToMVEntry(
		mvEntryFoundByDN.object_id,
 		dn,
		ActiveDirectoryMAName);

Important Note on accessing FIMSynchronization database

Sample code provided in this blog makes direct calls to the FIMSynchronizationService database. Such direct access is not supported in the production environment, hence the samples provided here should only be used in a test environment.

Metaverse Helper

Physically FIM Metaverse manifests itself as mms_metaverse table in the FIMSynchronizationService database. Each Metaverse attribute is represented as a column in this table (ex. employeeID). Using Entity Framework, it is fairly simple to define helper methods to query this table.

Sample below assumes that both employeeID and activeDirectoryDN (distinghuishedName) are flown into the Metaverse.

namespace FIMTestCasesDriver.EnvironmentHelpers.FIM
{
    using System;
    using System.Linq;

    public static class MetaverseHelper
    {
        private static readonly FIMEntities FIMEntities = new FIMEntities();
        
        public static bool TryToGetMVEntryByEmployeeID(string employeeID, out mms_metaverse mvEntryOut)
        {
            try
            {
                mvEntryOut = FIMEntities.mms_metaverse.AsNoTracking().Single(
   mvEntry => mvEntry.employeeID == employeeID);
                return true;
            }
            catch (Exception)
            {
                mvEntryOut = null;
                return false;
            }
        }

        public static bool TryToGetMVEntryByActiveDirectoryDN(string dn, out mms_metaverse mvEntryOut)
        {
                      
            try
            {
                mvEntryOut = FIMEntities.mms_metaverse.AsNoTracking().Single(
                    mvEntry => mvEntry.activeDirectoryDN == dn);
                return true;
            }
            catch (Exception)
            {
                mvEntryOut = null;
                return false;
            }
        }
    }
}

See my other post for the explanation on why the AsNoTracking option was used.

Asserting Referential Relationship in Metaverse

Often FIM is required to maintain or calculate hierarchical relationships. In order to write integration tests, which validate our reference building logic we will need another helper method.

Internally FIM maintains referential relationships in the mms_mv_link table, which has a very simple structure. For example, the first row of the sample data depicted in the screenshot could be interpreted as – MVEntry identified as CFD95…. is a direct report of an MVEntry of CBD95… The object_id and reference_id could in turn be linked to the mms_metaverse table to get additional information.

Testing Pattern

In the arrange part of the test, we would set a reference attribute value in a connected system. The sample below creates a new AD account by using a helper class ActiveDirectoryStateMachine, and links this account to an existing account by populating value of manager attribute. This is followed by a series of Asserts, which ensure that we are dealing with a brand new account for the direct report, and that the MVEntry for the manager exists.

Execute FIM Run profiles - RunProfileInvoker.RunFullCycle();

The assertion part of the test uses the MetaverseHelper function DoesReferenceRelationshipExist, which takes as an input MVEntries of the origin of the reference (direct report) and the destination (manager), plus the name of the attribute on which the referential relationship is built. To get the MVEntries of the objects in question, we leverage the TryToGetMVEntryByActiveDirectoryDN helper method.

[TestClass]
    public class FIMShouldReflectManagerToDirectReportsRelationshipFeature : SyncTestHarness
    {
        private mms_metaverse mvEntryManager;

        [TestInitialize]
        public void TestSetup()
        {
            ActiveDirectoryStateMachine.TransitionFromNotInADToEnabled();
            var managerDN = (string)ActiveDirectoryStateMachine.GetAttributeValue("manager");
            Assert.IsFalse(string.IsNullOrEmpty(managerDN));
            mms_metaverse mvEntry;
            Assert.IsFalse(MetaverseHelper.TryToGetMVEntryByActiveDirectoryDN(
                ActiveDirectoryStateMachine.DistinguishedName,
                out mvEntry));
            Assert.IsTrue(MetaverseHelper.TryToGetMVEntryByActiveDirectoryDN(
                managerDN,
                out mvEntryManager));
        }

        [TestMethod]
        public void FIMConsumesManagerInfoFromAD()
        {
            RunProfileInvoker.RunFullCycle();

            mms_metaverse mvEntryDirectReport;
            Assert.IsTrue(MetaverseHelper.TryToGetMVEntryByActiveDirectoryDN(
                ActiveDirectoryStateMachine.DistinghuishedName,
                out mvEntryDirectReport));

            Assert.IsTrue(MetaverseHelper.DoesReferenceRelationshipExist(
                mvEntryDirectReport,
                mvEntryManager,
                GlobalSettingsConfig.MVAttributeNames.ManagerAttributeName));
        }
    }

// The function below assumes that the mms_mv_link was imported into your project

// See Appendix for details on connecting to the FIMSynchronizationService database via EntityFramework

public static bool DoesReferenceRelationshipExist(
            mms_metaverse source,
            mms_metaverse destination,
            string attributeName)
        {
            return (from reference in FIMEntities.mms_mv_link
             where reference.attribute_name.Equals(attributeName) &&
             reference.object_id == source.object_id &&
             reference.reference_id == destination.object_id
             select reference).Any();
        }

ConnectorSpaceHelper

This class makes use of three tables:

• mms_connectorspace – where CSEntries are stored. There are several important points related to this table:

1. The actually attribute values of a CsEntry are packaged in a binary blob stored in the hologram column. To decode this blob we need to use WMI call against MIIS_CSObject, see TryToGetCsEntryGuid function for details.
2. The objectGUID which uniquely identifies a CSEntry, is not stored in a column, but is packaged inside the hologram blob, hence the need for WMI call. We need this GUID to validate a join.
3. Only RDN of a CsEntry is stored in a column, which makes no difference in case of HR MA where the anchor is based on employeeID, but certainly something to keep in mind in case of AD MA.
4. Since an MVEntry could be joined to multiple CsEntries in different connector spaces, MAGuid is also required for unique CsEntry object identification.

• mms_csmv_link – where the links between CSEntries and MVEntries are recorded (both mvEntry and CsEntry objects are uniquely identified by a GUID). Each row in this table represents a join.

mv_object_id comes from the mms_metaverse, and cs_object_id is stored in the mms_connectorspace (inside the hologram)

• mms_management_agent – we the information on the MAs is stored. We will only need to access this table to get the mapping between the MA name and MA GUID.

namespace FIMTestCasesDriver.EnvironmentHelpers.FIM
{
    using System;
    using System.Globalization;
    using System.Linq;
    using System.Management;

    public static class ConnectorSpaceHelper
    {
        private static readonly ManagementScope FIMWmiNameSpace =
            new ManagementScope("root\\MicrosoftIdentityIntegrationServer");

        private static readonly FIMEntities FIMEntities = new FIMEntities();

        public static bool IsCsEntryConnectedToMvEntry(
            Guid mvEntryGuid,
            string csEntryDN,
            string maName)
        {
            Guid csEntryGuid;
            Guid maGUID;

            if (!TryToGetMAGuid(maName, out maGUID))
            {
                throw new Exception(
                    string.Format("Unable to find MAGuid for MAName:{0} in TryToGetCsEntryGuid", maName));
            }

            if (!TryToGetCsEntryGuid(csEntryDN, maGUID, out csEntryGuid))
            {
                return false;
            }

            return (from link in FIMEntities.mms_csmv_link
                    where link.mv_object_id == mvEntryGuid && link.cs_object_id == csEntryGuid
                    select link).Count() == 1;
        }

        private static bool TryToGetMAGuid(string maName, out Guid maGUID)
        {
            maGUID = (from ma in FIMEntities.mms_management_agent 
                      where ma.ma_name == maName 
                      select ma.ma_id).Single();
            return true;
        }

        private static bool TryToGetCsEntryGuid(
            string csEntryDN,
            Guid maGUID,
            out Guid csEntryGUID)
        {
            var csQueryString = string.Format(
                CultureInfo.CurrentCulture, "DN='{0}' and MaGuid='{{{1}}}'", csEntryDN, maGUID);
                   
            var csQuery = new SelectQuery("MIIS_CSObject", csQueryString);
            var csSearcher = new ManagementObjectSearcher(FIMWmiNameSpace, csQuery);
            var csObjects = csSearcher.Get();

            if (csObjects.Count > 1)
            {
                throw new Exception(string.Format(
  "Multiple connectors for the same DN detected{0}", csEntryDN));           

	   }

            if (csObjects.Count == 0)
            {
                csEntryGUID = Guid.Empty;
                return false;
            }

            var guid = string.Empty;
            foreach (ManagementObject csObject in csObjects)
            {
                guid = csObject["Guid"].ToString();
                break;
            }

            csEntryGUID = new Guid(guid);
            return true;
        }
    }
}

Appendix

Connecting to FIMSynchronizationService database via Entity Framework

 In order to get samples to work you will need to add FIM Sync Service Entity model into your test project

1. Using nuget add EntityFramework 4.1 into your test project

2. In your project add new item of type “ADO.NET Entity Data Model”

3. Create a new SQL connection to the server which hosts FIM Sync database

4. Select the tables referenced in the samples

5. Once the model is imported navigate to the edmx file, right-click and select to add “Code Generation Item”

6. Select “EF 4.X DbContext Generator”

References

https://openldap-ma.sourceforge.net/, the sample for decoding the hologram blob comes from this project.

This posting is provided "AS IS" with no warranties, and confers no rights.

Use of included script samples are subject to the terms specified at https://www.microsoft.com/info/cpyright.htm

During unit or integration tests, which involve database modifications, the following pattern is often utilized - 

var preChangeIntroducedValue = GetValueFromDB();

// introduce change

var postChangeIntoroducedValue = GetValueFromDB();

// Assert something about the relationship between pre and post values

If using Entity Framework for accessing database, it is important to remember that if the value in the database

changes between the calls to GetValueFromDB, Entity Framework will return the value originally placed into the 

preChangeIntroduceValue, hence your tests will be probably fail, even though the logic might be correct. The reason

for this is the cashing/tracking mechanism built-in into Entity Framework. To address this use AsNoTracking

option as illustrated by the example below.

        private static readonly FIMEntities FIMEntities = new FIMEntities();

public static bool TryToGetMVEntryByEmployeeID(string employeeID, out mms_metaverse mvEntryOut) { try { mvEntryOut = FIMEntities.mms_metaverse.AsNoTracking().Single(mvEntry => mvEntry.employeeID == employeeID); return true; } catch (Exception) { mvEntryOut = null; return false; }

              }

References:

Using DbContext in EF 4.1 Part 11: Load and AsNoTracking

During integration testing of FIM Synchronization Service it is often useful to programmatically invoke run profiles of 

FIM Sync Service, and later query the Metaverse and/or Connector spaces for the results of the run to validate proper 

rule execution. The sample below shows how to programmatically invoke run profiles.

Note that profiles run synchronously. 

This posting is provided "AS IS" with no warranties, and confers no rights. 

Use of included script samples are subject to the terms specified at https://www.microsoft.com/info/cpyright.htm

namespace FIMTestCasesDriver.EnvironmentHelpers.FIM
{
    using System.Management;

    public static class RunProfileInvoker
    {
        private const string FimSyncServiceWMINameSpace = "root\\MicrosoftIdentityIntegrationServer";
        private const string FimSyncServiceMAObjectSpace = "MIIS_ManagementAgent.Name";

        private const string FullImportAndFullSyncProfileName = "full import and full sync";

        private const string ExportAndDeltaImportStageOnlyProfileName = "export and delta import stage only";

        private const string ActiveDirectoryMAName = "AD";
        private const string ADLDSMAName = "ADLDS";
        private const string HRMAName = "HR";
        private const string RegistrationMAName = "Registration";

        public static void RunFullCycle()
        {
            RunProfile(
                ActiveDirectoryMAName,
                FullImportAndFullSyncProfileName);

            RunProfile(
                RegistrationMAName,
                FullImportAndFullSyncProfileName);

            RunProfile(
                HRMAName,
                FullImportAndFullSyncProfileName);

            RunProfile(
                ActiveDirectoryMAName,
                ExportAndDeltaImportStageOnlyProfileName);

            RunProfile(
                ADLDSMAName,
                ExportAndDeltaImportStageOnlyProfileName);
        }

        private static void RunProfile(
            string maName,
            string runProfileName)
        {
            var managementObject = new ManagementObject(
                FimSyncServiceWMINameSpace,
                string.Format("{0}=" + "'{1}'", FimSyncServiceMAObjectSpace, maName),
                null);
            var inParameters = managementObject.GetMethodParameters("Execute");
            inParameters["RunProfileName"] = runProfileName;
            managementObject.InvokeMethod("Execute", inParameters, null);
        }
    }
}

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at https://www.microsoft.com/info/cpyright.htm

Business Scenario

Many Java applications now utilize Active Directory as a source of authentication, in some situations it may be required to set Active Directory password from within Java applications. I encountered a scenario where majority of the users of a Java application were on Active Directory, but for a small percentage of users that do not log-in to Active Directory from their desktops we needed to provide a functionality within the application to set user passwords.

Prerequisites

• This scenario was only tested against a Windows 2003 Domain
• JKD 1.5.0_03 was used to run the sample code
• You will need to connect to Active Directory with a user account that has permissions to reset passwords
• PKI Certificates used in this scenario were issued by Microsoft Certificate Server configured in Active Directory integrated mode

Setup SSL trust between Active Directory Domain Controller(s) and Java application

Active Directory Domain Controllers will only allow password set operations over an SSL channel, therefore both parties should have a common trusted root certificate in their certificate stores. The simplest way to accomplish this is to export a trusted root certificate from a Domain Controller and import it into Java certificate store on the client machine.

Configuring SSL on Active Directory Domain Controllers

Active Directory Domain Controllers automatically enroll for domain controller certificate and utilize it for secure LDAP communications if Active Directory integrated Microsoft Certificate Server is deployed within the Forest. So in other words, if you deployed Microsoft Certificate Server in Active Directory integrated mode, then you don't need to do anything else on Active Directory side, all domain controllers will use SSL on port 636.

For instructions on how to setup Microsoft Certificate Server follow this link.

Importing Trusted Root Certificate on a Java client machine

On the client side we need to import a mutually trusted root certificate into Java certificate store. In our case we will export the root certificate issued by Microsoft Certificate Server and import it into Java store on the client.

1. On a Domain Controller log-in as an administrator and open Internet Explorer. Go to Tools->Internet Options->Content and click on Certificates

2. Switch to Trusted Root Certificate Authorities Tab and Select the certificate issued by your Active Directory integrated Certificate Server. Click on Export

3. Choose Base-64 encoded X.509(.CER)

4. Specify file name for the exported certificate

5. Finish the export and copy the exported .cer file to the Java client machine

6. At the client machine execute the following command.

Note the location of the jks file, you will need to reference it later on in the code.

Alias and keystore password are arbitrary values

Sample program to change Active Directory user password from Java

Now that SSL staff is out of the way compile this sample code and run it from the Java client

This code was developed by Jeremy Mortis here is link to the original code

import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import java.util.*;
import java.security.*;
public class ADConnection {
DirContext ldapContext;
String baseName = ",cn=users,DC=fabrikam,DC=com";
String serverIP = "10.1.1.7";
public ADConnection() {
try {
Hashtable ldapEnv = new Hashtable(11);
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
ldapEnv.put(Context.PROVIDER_URL, "ldap://" + serverIP + ":636");
ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
ldapEnv.put(Context.SECURITY_PRINCIPAL, "cn=administrator" + baseName);
ldapEnv.put(Context.SECURITY_CREDENTIALS, "PA$$w0rd");
ldapEnv.put(Context.SECURITY_PROTOCOL, "ssl");
ldapContext = new InitialDirContext(ldapEnv);
}
catch (Exception e) {
System.out.println(" bind error: " + e);
e.printStackTrace();
System.exit(-1);
}
}
public void updatePassword(String username, String password) {
try {
String quotedPassword = "\"" + password + "\"";
char unicodePwd[] = quotedPassword.toCharArray();
byte pwdArray[] = new byte[unicodePwd.length * 2];
for (int i=0; i<unicodePwd.length; i++) {
pwdArray[i*2 + 1] = (byte) (unicodePwd[i] >>> 8);
pwdArray[i*2 + 0] = (byte) (unicodePwd[i] & 0xff);
}
ModificationItem[] mods = new ModificationItem[1];
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
new BasicAttribute("UnicodePwd", pwdArray));
ldapContext.modifyAttributes("cn=" + username + baseName, mods);
}
catch (Exception e) {
System.out.println("update password error: " + e);
System.exit(-1);
}
}
public static void main(String[] args) {
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
// the keystore that holds trusted root certificates
System.setProperty("javax.net.ssl.trustStore", "c:\\myCaCerts.jks");
System.setProperty("javax.net.debug", "all");
ADConnection adc = new ADConnection();
adc.updatePassword("Java User2", pass@word3);
}
}

Use of included script samples are subject to the terms specified at https://www.microsoft.com/info/cpyright.htm 

Since SSHA (Salted SHA1) is now most commonly used in storing password hashes in OpenLDAP, folks who need to create accounts on this system from .NET (ex. Forefront Identity Manager FIM), may find this sample useful.

      public static string GenerateSaltedSHA1(string plainTextString)
      {
            HashAlgorithm algorithm = new SHA1Managed();
            var saltBytes = GenerateSalt(4);
            var plainTextBytes = Encoding.ASCII.GetBytes(plainTextString);

            var plainTextWithSaltBytes = AppendByteArray(plainTextBytes, saltBytes);
            var saltedSHA1Bytes = algorithm.ComputeHash(plainTextWithSaltBytes);
            var saltedSHA1WithAppendedSaltBytes = AppendByteArrays(saltedSHA1Bytes, saltBytes);
           
            return "{SSHA}" + Convert.ToBase64String(saltedSHA1WithAppendedSaltBytes);
      } 

        
       private static byte[] GenerateSalt(int saltSize)
       {
            var rng = new RNGCryptoServiceProvider();
            var buff = new byte[saltSize];
            rng.GetBytes(buff);
            return buff; 
       }

 private static byte[] AppendByteArray(byte[] byteArray1, byte[] byteArray2)
 {
      var byteArrayResult =
              new byte[byteArray1.Length + byteArray2.Length];

      for (var i = 0; i < byteArray1.Length; i++)
           byteArrayResult[i] = byteArray1[i];
      for (var i = 0; i < byteArray2.Length; i++)
           byteArrayResult[byteArray1.Length + i] = byteArray2[i];

      return byteArrayResult;
  }
  

References

How To: Hash Data with Salt (C#/VB.NET)  

What are {SHA} and {SSHA} passwords and how do I generate them? (from OpenLDAP documentation)

Use of included script samples are subject to the terms specified at https://www.microsoft.com/info/cpyright.htm 

The sample code below provides a helper class, which performs a paged search against an LDAP directory.

I tested this code against OpenLDAP 2.4.31. The code is based on the samples provided by Ethan Wilansky, 

see link at the end of the post. 

using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Net;
using System.Security;

namespace OpenLDAPNextUID
{
    public class LDAPHelper
    {
        private readonly LdapConnection ldapConnection;
        private readonly string searchBaseDN;
        private readonly int pageSize;

        public LDAPHelper(
            string searchBaseDN,
            string hostName,
            int portNumber,
            AuthType authType,
            string connectionAccountName,
            SecureString connectionAccountPassword,
            int pageSize)
        {
            
            var ldapDirectoryIdentifier = new LdapDirectoryIdentifier(
                hostName,
                portNumber,
                true,
                false);
            
            var networkCredential = new NetworkCredential(
                connectionAccountName,
                connectionAccountPassword);

            ldapConnection = new LdapConnection(
                ldapDirectoryIdentifier,
                networkCredential) 
                {AuthType = authType};

            ldapConnection.SessionOptions.ProtocolVersion = 3;
            
            this.searchBaseDN = searchBaseDN;
            this.pageSize = pageSize;
        }

        public IEnumerable<SearchResultEntryCollection> PagedSearch(
            string searchFilter,
            string[] attributesToLoad)
        {

            var pagedResults = new List<SearchResultEntryCollection>();

            var searchRequest = new SearchRequest
                    (searchBaseDN,
                     searchFilter,
                     SearchScope.Subtree,
                     attributesToLoad);


            var searchOptions = new SearchOptionsControl(SearchOption.DomainScope);
            searchRequest.Controls.Add(searchOptions);

            var pageResultRequestControl = new PageResultRequestControl(pageSize);
            searchRequest.Controls.Add(pageResultRequestControl);

            while (true)
            {
                var searchResponse = (SearchResponse)ldapConnection.SendRequest(searchRequest);
                var pageResponse = (PageResultResponseControl)searchResponse.Controls[0];

                yield return searchResponse.Entries;
                if (pageResponse.Cookie.Length == 0)
                    break;

                pageResultRequestControl.Cookie = pageResponse.Cookie;
            }

            
        }
    }
}

Example of using the helper class

using System;
using System.DirectoryServices.Protocols;
using System.Security;

namespace OpenLDAP
{
    class Program
    {
        static void Main(string[] args)
        {
            var password = new[]{'P','a','s','s','w','@','r','d'};
            var secureString = new SecureString();
            foreach (var character in password)
                secureString.AppendChar(character);

            var baseOfSearch = "dc=fabrikam,dc=com";
            var ldapHost = "ubuntu.fabrikam.com";
            var ldapPort = 636; //SSL
            var connectAsDN = "cn=admin,dc=fabrikam,dc=com";
            var pageSize = 1000;

            var openLDAPHelper = new LDAPHelper(
                baseOfSearch,
                ldapHost,
                ldapPort,
                AuthType.Basic, 
                connectAsDN,
                secureString,
                pageSize);

            var searchFilter = "nextUID=*";
            var attributesToLoad = new[] {"nextUID"};
            var pagedSearchResults = openLDAPHelper.PagedSearch(
                searchFilter,
                attributesToLoad);

            foreach (var searchResultEntryCollection in pagedSearchResults)
                foreach (SearchResultEntry searchResultEntry in searchResultEntryCollection)
                    Console.WriteLine(searchResultEntry.Attributes["nextUID"][0]);

            Console.Read();

        }
    }
}

Links

Introduction to System.DirectoryServices.Protocols (S.DS.P) by Ethan Wilansky

From OpenLDAP 2.4 Administration guide, “Since OpenLDAP 2.0 slapd has had the ability to delegate password verification to a separate process. This uses the sasl_checkpass function so it can use any back-end server that Cyrus SASL supports for checking passwords. The choice is very wide, as one option is to use saslauthd(8) which in turn can use local files, Kerberos, an IMAP server, another LDAP server, or anything supported by the PAM mechanism”.

This particular functionality of OpenLDAP should be of special interest for environments where long term co-existence between OpenLDAP and Active Directory is required. By establishing pass-through authentication the following advantages could be achieved:

• Great end-user experience. No need to remember multiple passwords
• Increased security, due to the reduction of the attack surface (one less password store in the environment)
• Single password policy

The rest of the post will expand on the instructions provided by the OpenLDAP 2.4 Administration guide on establishing pass-through authentication from OpenLDAP to Active Directory. Specifically, will will leverage the capability of SASL to use LDAP as an authentication back-end. In our case, Active Directory will play a role of such authentication back-end.

Lab environment used for documenting the steps

• OpenLDAP version of 2.4.25 running on Ubuntu Server 11
• OpenLDAP was installed and configured using Ubuntu OpenLDAP Server documentation page
• Active Directory on Windows Server 2008 R2

Active Directory Configuration

In order to secure authentication requests coming from OpenLDAP to Active Directory we need to ensure that LDAPS (Secure LDAP) is enabled on Active Directory Domain Controllers.

If you already established Windows based PKI, specifically Active Directory Enterprise CA, your Domain Controllers are already listening on LDAPS port. This occurs automatically, via auto-enrollment process.

You can confirm check whether your Domain Controllers are listening on LDAPS port by:

1. Checking local certificate store on a domain controller, and ensuring that there is a certificate with the template of DomainController.

2. Launching lpd.exe, and choosing SSL option

In case of a successful connection you should see output similar to this

For details on configuring PKI on Windows Server 2008 see Technet documentation

If you leverage PKI on a non-Windows based platform, see this article on how to enable LDAPS using 3rd party certificates on Active Directory Domain Controllers.

Building CA trust to Active Directory CA

LDAP client on the OpenLDAP server will need to validate the chain of trust of the certificates utilized by the Domain Controllers.

To be more specific the TLS_CACERT directive in the /etc/ldap/ldap.conf needs to point to a certificate of a CA, which signed the SSL certificates for the Active Directory Domain Controllers. If a multi-tiered CA structure is utilized, then all certificates of the CAs in the chain need to be included in the PEM encoded certificate.

In this walkthrough I will assume that OpenLDAP is utilizing an SSL certificates signed by a CA, different from the CA utilized in the Active Directory environment. TLS_CACERT directive points to a certificate of this CA utilized in the Unix environment.

To accommodate this scenario, we need to make the LDAP client on the OpenLDAP server trust both CAs: the one which singed the certificate for the OpenLDAP server, and the CA which singed the certificates for the Domain Controllers. We will leverage the fact that PEM encoded certificates can contain multiple entries.

Exporting Active Directory Root CA certificate and making it available on the OpenLDAP server

1. Locate the certificate of the CA which signed the SSL certificates of the Domain Controller.

2. Export it in Base-64 encoded format

3. Save the certificate

4. Copy the certificate to the OpenLDAP server. I used WinSCP to accomplish this.

5. Concatenate the two certificates into a new joined one.

In this example /etc/ssl/certs/cacert.pem is the certifcate of the CA which signed the SSL cert for OpenLDAP and ad.cer is the certificate we copied in the previous step.

If you open the resulting PEM file in a text editor you should see two sections of “BEGIN CERTIFICATE”

5. Update TLS_CACERT directive to point to the new “joined” certificate

6. At this stage you should be able to issue a query over SSL to a Domain Controller.

The example above assumes that DNS resolution works across Windows and Unix environments. Remember that SSL certificates are sensitive to host names, hence the name of the host (-H parameter in the query) should match the subject name in the certificate

Configure SASLAUTHD

1. Install SASL command-line tools. Other components of SASLAUTHD are installed as part of OpenLDAP installation.

Configure SASLAUTHD via /etc/default/saslautd

Set automatic start of the SASLAUTHD service

Enable LDAP authentication mechanism

Give OpenLDAP service account access to SASLAUTHD service

1. To determine the account under which SLAPD is running check SLAPD_USER parameter in /etc/default/slapd

2.  Add OpenLDAP service account to the sasl group

Setup up connection and search parameters to Active Directory for SASLAUTHD

Create and edit /etc/saslauthd.conf

In this above sample configuration:

• tfs.fabrikam.com is an Active Directory domain controller. Multiple ldaps urls could be specified.
• sAMAccountName is an Active Directory attribute guaranteed to be unique in an Active Directory domain.
• sAMAccountName = %u, could be expanded to read sAMAccountName = UID.
• Essentially, this directive specifies how objects will be linked across two systems. In this particular example, we assume that UID and sAMAccounName attributes, for a specific user, will have the same value, hence provide the mapping. This consistency should either be enforced procedurally or via a synchronization service (ex. Forefront Identity Manager)
• sAMAccountName attribute was chosen arbitrarily, any other unique attribute could be utilized.

• cn=saslauthd,cn=Users,dc=fabrikam,dc=com is a DN of an Active Directory account, in which context SASLAUTHD will perform queries against Active Directory. This account does not require any special privileges.

Let’s look at the sequence of events which would take place while performing authentication for the query below, based on the configuration directives in our sample /etc/saslauthd.conf

1. SLAPD locates the object with DN of cn=johnd,ou=People,dc=fabrikam,dc=com
2. If the object with this DN has value of {SASL}johnd@fabrikam.com in the userPassword property, SLAPD will hand over authentication to SASLAUTHD (pass-through authentication).
3. SASLAUTHD will query Active Directory for an object which sAMAccountName value equals  to johnd (value of UID attribute in OpenLDAP).
4. If such object is found, SASLAUTHD will attempt to authenticate against Active Directory using the DN and password of the located object (password was provided by the end-user in the query).
5. If authentication to Active Directory is successful, user is automatically authenticated against OpenLDAP.

Test SASLAUTHD

Successful test.

For the –u parameter specify a valid sAMAccountName value in Active Directory.

Unsuccessful test, wrong password provided.

If you run into issues with this test, see the troubleshooting section at the end of this post.

Configure SLAPD to utilize SASLAUTHD

Now we need to tell SLAPD to utilize SASLAUTHD for authentication. This is accomplished by creating and editing /etc/ldap/sasl2/slapd.conf

Setup default REALM in SLAPD cn=config

Provide olcSaslRealm directive

Configure user object to be authenticated via SASL

Troubleshooting

If things go wrong, several log files and debug options could help.

1. Checking /var/log/auth.log. Here you will find details on the LDAP authentication failures

2. Checking  SASLAUTHD error messages in /var/log/syslog

Running ldapsearch with debug option, may help when troubleshooting certificate trust chain validation.

Cross-nested groups, in my definition, constitute a scenario where GroupA is nested into GroupB, and GroupB is nested into GroupA (GroupA <-> GroupB).

Why would you consider detecting this condition:

• Since Active Directory group structure is intended to be hierarchical, cross-nesting is typically an oversight of an administrator, and should be corrected
• Cross-nested groups should, in most cases, be converted into a single group or nested into a mutual parent (of course removing the cross-nesting at the same time).

Overall, elimination and/or reduction of cross-nesting may help in the following areas:

• simplification of group management
• dealing with token bloat
• reduce attack surface

Reporting environment setup

The instructions for setting up the environment will be very similar to what I described in my previous post Reporting on privileged Active Directory accounts with SQL Server. The SSIS package and the SQL schema are essentially the same for both scenarios. I suggest you follow that walkthrough first.

LDAP Query

Below is the LDAP query which SSIS Active Directory Source component will use to get the data we need.

(|(objectCategory=Person)(objectCategory=group))

Technically speaking, we don’t need the user objects for this specific query, but since we may also want to run some other reports, I included user objects as well.

SQL Query

The logic behind the query in vwCrossNestedSecurityGroups view is to self-join the Members table based on the reversed combination of groupDN and memberDN. For example, record groupA –> groupB will try to find a record groupB->groupA (crossing).

To simplify the query I created an underlying view, which filters-out user members from the Members table (vwDirectGroupMembers), hence focusing only on the group nesting.

Notice that in the query I filter-out distribution lists (groupType < 0). Security groups the groupType of –214748364X (X varies based on the scope of the group). If you are interested in distribution lists as well, simply remove  the WHERE clause.

Note on hardware

When I ran this query against the Members table with 9 millions rows, the memory utilization on my lab machine went from 2G to 9.5G, which I guess was to be expected.

Just something to keep in mind if you are working with a large data set.

Links

SQL script which will generate the required database schema

SSIS Project

When you application is deployed into production it will be probably accessed like this https://myapp.mycompnay.com. It will also be subjected to various IIS configuration settings: authentication, authorization, custom routing, etc. But when you develop and test it, probably, lives in IIS express; and accessed like something like this https://localhost/myapp:400004.

Since most of the walkthroughs demonstrate configuration of the development environment using IIS Express, I would like to document the steps of using IIS 7.5 and creating the URL structure which resembles your desired end state. I am doing this because I myself had to spent considerable amount of time in accomplishing what might appear as a simple task.

The overall process can be divided into three stages:

• OS/Browser configuration
• IIS configuration
• Visual Studio configuration

OS and Browser

Let’s assume that in production our application will be accessed as https://myapp.mycompany.com. In order to mimic the same URL structure in our development environment we need to perform the following steps:

• Add an entry to the hosts file for myapp.mycompnay.com. This step is required unless, your DNS server will resolve myapp.mycompany.com to your development server.

• If your application will be using Windows Integrated Authentication, you need to disable LSA loopback (KB896861), otherwise you will be getting access deny errors due to the host name mismatch.
• Also to prevent credential prompts in IE add https://myapp.mycompany.com to the local intranet zone in IE.

• Create a folder where your application files will reside

• Optional, but recommended, add a user account which we will be used to run the application pool for your web application

Create IIS Site

Create application pool

The name could be arbitrary, but make sure to select the .NET framework version in which you will be developing your app.

Once the pool is created, open Advanced Settings, and change the identity of the pool to the name of the user account you created in previous steps.

Create new Site

The name of the site is arbitrary.

Choose the name of the application pool you created in the previous step.

The value in the host name field should correspond to the record you added to your host file.

Configure Visual Studio

In Visual Studio create a new Web Site

In the location of the site select HTTP, then click on Browse.

Select IIS and then select the site

If required, enable Windows Integrated authentication in the web.config or IIS Manager

Test by debugging the app.